F5’s Cookie-Management Model
F5 WAF organizes cookies into two enforcement categories:
- Allow: The policy ignores and permits changes to known cookie headers; useful for application-set cookies that don't pose a security risk.
- Enforce: The policy prevents any client-side modifications to specific cookies (e.g., session cookies). Any tampering triggers a Modified Domain Cookie violation.
Both allowed and enforced cookies can be placed into staging mode first—this lets you observe any impact (alert/deny events) without disrupting live traffic. Once you’re confident, you deploy them in enforce mode.
1. Adding (Enabling) a Cookie in the GUI
- In the top navigation, click the workspace icon → Security.
- From the left menu, select Policies (under WAF) and click your policy name.
- In the policy panel, click Headers → Cookies.
- Click Create to open the Cookie Properties panel.
- Cookie Name: Enter the exact name (e.g., `JSESSIONID`) or use shell-style wildcards (`session_*`) for multiple similar cookies. F5 supports `*`, `?`, and character-range syntax.
- Cookie Type:
  - Explicit: Exact name match.
  - Wildcard: Pattern match via regular expression (advanced use).
- Enforcement Type:
  - Allow (default): Permits the cookie.
  - Enforce: Blocks any client alterations and triggers a violation if modified.
- Staging: Toggle on if you want to monitor violations before enforcement.
- Mask Value in Logs: For sensitive cookies (e.g., auth tokens), hides the value in logs/UI.
- Check Attack Signatures: Applies WAF signature checks to allowed cookies only.
- Advanced View:
  - Insert HTTPOnly Attribute: Adds `HttpOnly` to the response header, preventing client-side scripts from reading the cookie.
  - Insert Secure Attribute: Adds `SameSite` or `Secure` flags to mitigate CSRF risks.
- Click Save (the cookie is added to the policy, but not yet active).
- Click Deploy to push changes to your BIG-IP instances.
Tip: Always add newly discovered cookies in Allow + Staging first, monitor for “Allow” alerts, then switch to Enforce once you’re confident.
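The following is an added example, not F5's code, that models the behaviour the settings above describe: how a policy's cookie entries match cookie names (explicit names and the shell-style `*`/`?`/character-range wildcards, implemented here with Python's `fnmatch`), what the "Insert HTTPOnly Attribute" and "Insert Secure Attribute" options add to an application's `Set-Cookie` response header, and how Allow, Enforce and Staging combine when a client presents a modified cookie. The `CookieEntry` class, `SAMPLE_POLICY` and the "issued value differs from presented value" test for modification are assumptions made for illustration; the real product detects tampering with its own domain-cookie mechanism.

```python
# Added example (not F5's code): a model of how a WAF policy's cookie entries
# match cookie names and what the "Insert HTTPOnly Attribute" / "Insert Secure
# Attribute" options add to a Set-Cookie response header. Entry names use the
# page's shell-style wildcard syntax (*, ?, character ranges), implemented with
# fnmatch. Modification detection is simplified to "issued value != presented
# value"; the real product uses its own domain-cookie mechanism (assumption).
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class CookieEntry:
    name: str                      # explicit name or wildcard, e.g. "session_*"
    enforcement: str               # "allow" or "enforce"
    staging: bool = False          # staged entries only alert, never block
    insert_http_only: bool = False
    insert_secure: bool = False


# Constructed sample policy used by the functions below.
SAMPLE_POLICY = [
    CookieEntry("JSESSIONID", "enforce", insert_http_only=True, insert_secure=True),
    CookieEntry("csrf_token", "enforce", staging=True),
    CookieEntry("session_*", "allow", staging=True, insert_http_only=True),
]


def find_entry(entries, cookie_name):
    """Return the matching entry; explicit names win over wildcard patterns."""
    def is_explicit(entry):
        return not any(ch in entry.name for ch in "*?[")
    ordered = sorted(entries, key=lambda e: 0 if is_explicit(e) else 1)
    for entry in ordered:
        if fnmatchcase(cookie_name, entry.name):
            return entry
    return None


def apply_attributes(set_cookie_header, entries):
    """Append HttpOnly/Secure to a Set-Cookie header if the matching entry asks
    for them and the application did not already set them."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    entry = find_entry(entries, cookie_name)
    if entry is None:
        return set_cookie_header
    present = {p.lower() for p in parts[1:]}
    if entry.insert_http_only and "httponly" not in present:
        parts.append("HttpOnly")
    if entry.insert_secure and "secure" not in present:
        parts.append("Secure")
    return "; ".join(parts)


def evaluate_modification(entries, cookie_name, issued_value, presented_value):
    """What the policy does when a client presents a changed cookie value:
    'allow' (no rule, Allow rule, or value unchanged), 'alert' (Enforce in
    staging: the Modified Domain Cookie violation is logged only) or
    'block' (Enforce, not staged)."""
    entry = find_entry(entries, cookie_name)
    if entry is None or entry.enforcement == "allow" or issued_value == presented_value:
        return "allow"
    return "alert" if entry.staging else "block"


if __name__ == "__main__":
    print(apply_attributes("JSESSIONID=abc123; Path=/", SAMPLE_POLICY))
    print(evaluate_modification(SAMPLE_POLICY, "JSESSIONID", "abc123", "tampered"))
```

Running the block shows the staged-rollout logic from the tip in miniature: the `csrf_token` entry is Enforce but staged, so a modified value only produces an alert, while the unstaged `JSESSIONID` entry blocks.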
2. Modifying an Existing Cookie
If your application changes cookie behavior (name, domain, flags), update its settings without deleting/recreating:
- Navigate back to Security → Policies, select the policy, then Headers → Cookies.
- Click the cookie name you wish to change—this reopens the Cookie Properties panel.
- Adjust Enforcement Type, Staging, or Advanced View attributes (you cannot change the cookie’s name or type).
- Click Save, then Deploy.
When to modify: moving from staging to enforce, adding `Secure` flags, or masking sensitive cookie values.
3. Changing Enforcement Status
To quickly switch a cookie between Allowed (staging) and Enforced:
- Go to Security → Policies → Headers → Cookies.
- Use the Status column checkboxes to select one or more cookies.
- Click Stage or Enforce as appropriate—confirm the action in the pop-up.
- Click Deploy to activate changes.
This lets you roll back enforcement if a new cookie unexpectedly breaks functionality.
4. Deleting a Cookie
When an application deprecates a cookie:
- Navigate to Security → Policies → Headers → Cookies.
- Select the cookie via its checkbox.
- Click Delete, confirm, then Deploy.
Removing unused entries keeps your policy lean and reduces audit clutter.
5. Automating via iControl REST API
For environments with dozens of policies or devices, script against the WAF API:
```http
POST https://<BIG-IP>/mgmt/shared/iapp/secure-cookie-policies
Content-Type: application/json
X-F5-Auth-Token: <token>

{
  "name": "JSESSIONID",
  "enforcement": "enforce",
  "staging": false,
  "maskValue": true,
  "attributes": {
    "httpOnly": true,
    "secure": true
  }
}
```
- Authentication: Use token-based headers.
- Endpoints: Check `/waf/v2/policies/{policyName}/cookies` in your API spec.
- Idempotency: Scripts should check for existing cookies before POST/PUT.
Pro Tip: Combine API calls with CI/CD pipelines to bake cookie rules into deployment manifests.